
Browser Updates and checksums -- s243a post 2014 on sone (A social network plugin for freenet)

07 august 2016

"
s243a

How come Google Chrome doesn't provide a checksum? I know they are using https but I'm sure a man-in-the-middle attack is still possible.

2 years ago

 

s243a

I wonder if the NSA has their SSL/TLS key.

2 years ago

 

David ‘Bombe’ Roden

@s243a that doesn’t make any sense.

2 years ago

 

Adilson_Lanpo

@s243a Chrome itself knows Google's public key and has been known to alert people of MITMs (e.g. the DigiNotar incident) but it's no help if you're downloading it through something better than Chrome. Getting it through a distro package manager if it's included will give you a checksum (checked automatically as well), at least with distros worth using, assuming of course that you can trust the distro.

2 years ago

 

s243a

@Adilson_Lanpo Well, if I downloaded it through a distro package manager and also via their website then maybe I could check the file for differences. Are there such tools for Windows? Some of my machines run Windows and some run Linux. I was thinking, perhaps it would be better if 3rd parties actually kept track of the checksum. The reason being is that if an attacker could spoof a website then couldn't they also spoof the checksum? Maybe one would be more secure if they could verify a checksum from more than one source.

2 years ago

 

Adilson_Lanpo

@s243a Good luck finding a Windows version in a distro package manager.

2 years ago

 

Paracelsus_Clemens

@s243a It's not impossible, you need to check the SSL info for the download site manually. I think there are some Firefox plugins that validate well-known SSL keys for MitM attacks (there are plugins that do it, but I don't remember offhand if they pre-include the key signatures or not. They remember every one you've been to and warn of changes.)

2 years ago

 

 

s243a

@Paracelsus_Clemens Thank you, I'll try to look around for them. Let me know if you remember their name. :)

2 years ago

 

Paracelsus_Clemens

@s243a I can't find the name of the project doing it - I could have sworn it was an EFF effort. That said, the good news is in new Firefox releases (33, I think) Google is pinning their root certificate. 34 pins Tor as well, and one of them should enable any site to enforce a lock on their certificate - assuming you ever reached there once safely. It's mostly useful for people doing banking on a laptop - as long as you've logged in safely once at home, no malicious "free" wifi provider can use a compromised root cert to inject a MitM attack, because your browser already knows what the certificate fingerprint should be.

2 years ago

 

Paracelsus_Clemens

Google Chrome has been doing pinning for a while - it just means a recent Firefox can safely download Chrome - assuming you were able to get a recent Firefox that wasn't compromised already!

2 years ago

 

Paracelsus_Clemens

@s243a For what it's worth, the SHA1 fingerprint for www.google.com for me is A8:30:76:0C:FC:A9:53:D7:98:84:B1:FD:E3:F6:B7:E0:A0:A5:B0:AB. If that matches what you see, it leaves the following scenarios: That's really their cert, I've fallen prey to the same MitM injection as you, or I'm the person attacking you. :)

2 years ago

 

Adilson_Lanpo

@Paracelsus_Clemens That's the same fingerprint I'm getting, stop attacking me. :-)

2 years ago

 

s243a

@Adilson_Lanpo What if the browser is hijacked? Then could the fact that Chrome knows its TLS certificate key be circumvented? Perhaps a p2p method is needed as a secondary method to verify TLS certificates. This story seems related: "Are Apple, Google, Microsoft And Mozilla Helping Governments Carry Out Man-In-The-Middle Attacks? by glynmoody posted on techdirt" techdirt.com/…/are-apple-google-microsoft-mozilla-helping-governments-carry-out-man-in-the-middle-attacks.shtml to my original question.

2 years ago

 

Adilson_Lanpo

@s243a If you're being targeted by your government then you're screwed pretty much no matter what, remember that we're talking about people who can enter your house while you're out to plant whatever surveillance equipment they want (maybe even legally). Though there is a real problem with CAs able to vouch for every domain, it really should be restricted so that say, Chinese CAs can only sign domains in .cn and associated IDNs.

2 years ago
"
http://127.0.0.1:8888/Sone/viewPost.html?post=9d3be7ec-181d-4b07-a7f4-1de6d640d088 

** The above discussion was held on sone (A social network plugin for freenet)
https://freenetproject.org/
https://wiki.freenetproject.org/Sone
https://github.com/Bombe/Sone
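
The multi-source check s243a proposes in the thread above (compare the downloaded file against checksums published by more than one independent party), as an added example that is not part of the original discussion or of any project mentioned in it. The source names, the quorum of two and the sample bytes are assumptions made for illustration.

```python
import hashlib
import io

def file_digest(stream, algo="sha256", chunk_size=65536):
    """Hash a binary stream in chunks so a large installer need not fit in memory."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def normalize(value):
    """Accept 'A8:30:76' or 'a83076' style hex digests; return bare lowercase hex."""
    return "".join(c for c in value if c not in ": \t\r\n").lower()

def cross_check(local_digest, published, quorum=2):
    """Compare a locally computed digest with what independent sources publish.

    published maps a source name to the digest that source reports.
    Returns (verdict, agreeing_sources, disagreeing_sources).
    """
    local = normalize(local_digest)
    agreeing, disagreeing = [], []
    for source in sorted(published):
        match = normalize(published[source]) == local
        (agreeing if match else disagreeing).append(source)
    if disagreeing:
        verdict = "mismatch"      # any source disagrees: do not install
    elif len(agreeing) >= quorum:
        verdict = "match"         # sources agree; they could still all be wrong
    else:
        verdict = "insufficient"  # one source alone is the spoofable case
    return verdict, agreeing, disagreeing

# Constructed sample data: stand-ins for a genuine and a tampered download.
GENUINE = b"constructed installer bytes\n" * 1000
TAMPERED = GENUINE + b"injected"

def demo():
    good = file_digest(io.BytesIO(GENUINE))
    bad = file_digest(io.BytesIO(TAMPERED))
    # Hypothetical source names. In the second case the download site serves
    # the tampered file together with a checksum that matches it.
    honest = cross_check(good, {"vendor_site": good, "distro_repo": good.upper()})
    spoofed = cross_check(bad, {"vendor_site": bad, "distro_repo": good})
    return honest, spoofed

if __name__ == "__main__":
    for verdict, agree, disagree in demo():
        print(verdict, "agree:", agree, "disagree:", disagree)
```

A "match" verdict only says the sources agree with each other and with the file, which leaves the same scenarios Paracelsus_Clemens lists for the matching certificate fingerprint.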